--- Begin Message ---
- To: Boris Pek <Tehnick-8@yandex.ru>
- Cc: 673457-done@bugs.debian.org
- Subject: Re: Bug#673457: RFS: psi-plus-i18n/0.15.5338.4-1 [ITP] -- translation files for Psi+
- From: David Prévot <taffit@debian.org>
- Date: Wed, 26 Sep 2012 22:24:09 -0400
- Message-id: <5063B8C9.9060101@debian.org>
- In-reply-to: <165271348695545@web26g.yandex.ru>
- References: <1704791348563420__11682.392578996$1348563640$gmane$org@web5g.yandex.ru> <506242F3.5010309@debian.org> <165271348695545@web26g.yandex.ru>
Hi Boris,
On 26/09/2012 17:39, Boris Pek wrote:
> I see you are willing to sponsor the package. Great!
Yes, I don't do that a lot, but this one seems simple enough for me (and
given the initial good shape, I hope to get rid of it pretty soon by
using the new dm-allow thingie if you don't become a DD quickly enough ;).
>> Other people looking for a sponsor for a localization-only package
>> or localization-only update are welcome to (X-Debbugs)-CC
>> debian-i18n@l.d.o where localization-friendly people may be happy to help.
>
> Thank you for the info. I wasn't aware that they can also upload packages.
That's not its main purpose, but there are for sure i18n-friendly people
there.
> There is no constant tarball on GitHub: it is generated each time it is
> requested. So we do not need to keep the original tarball in Debian.
Isn't the generated tarball built from the same files always the same?
It totally fails to provide a reliable (as in cryptographic) way to make
sure the downloaded upstream tarball is what one could expect.
You should at least consider signing the tags in the Git repository.
(And no, including a corrupted l10n upstream package hosted in a well
known place is really not a theoretical nightmare [0].)
0: http://sourceforge.net/blog/phpmyadmin-back-door/
> These localization
> files are just regular XML files and they can be compressed very effectively.
This concern should be addressed upstream (the upstream host provider).
Some more remarks:
“Pre-Depends: dpkg (>= 1.15.6~)” seems pointless: it can only help on
*upgrade* for some derivatives, but is of no use since the package is
not already present in those derivatives.
Conflicts, Replaces and Provides psi-plus-i18n too since this package
had not yet been distributed. Of course, if the package has already been
distributed elsewhere, those two remarks won't stand.
> The package was updated. Could you check and upload it?
Done, thanks for your work.
Regards
David
--- End Message ---
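The point about tarballs generated on request, as an added example that is not part of the original message: a byte-level checksum of a regenerated archive can change with compression metadata even when the files are identical, so this sketch pins a digest over the archive contents instead. The file names, contents and timestamps are constructed, and the pinned digest still has to reach the verifier through a trusted channel such as a signed tag.

```python
import gzip, hashlib, io, tarfile

def make_tarball(files, gzip_mtime):
    """Build a .tar.gz in memory; gzip_mtime stands in for the generation time."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o644
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def byte_digest(blob):
    """Plain SHA-256 of the compressed archive bytes."""
    return hashlib.sha256(blob).hexdigest()

def content_digest(blob):
    """SHA-256 over name, type, mode, size, link target and data of every member."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            data = tar.extractfile(m).read() if m.isfile() else b""
            h.update(f"{m.name}\0{m.type!r}\0{m.mode:o}\0{m.size}\0".encode())
            h.update(m.linkname.encode() + b"\0")
            h.update(hashlib.sha256(data).digest())
    return h.hexdigest()

# Constructed sample: two XML translation files (names and contents are made up).
FILES = {"translations/psi_fr.ts": b'<TS language="fr"></TS>\n',
         "translations/psi_ru.ts": b'<TS language="ru"></TS>\n'}
TAMPERED = dict(FILES)
TAMPERED["translations/psi_ru.ts"] = b'<TS language="ru"><!-- altered --></TS>\n'

FIRST = make_tarball(FILES, 1348695545)     # archive as first generated
AGAIN = make_tarball(FILES, 1348700000)     # same files, generated later
ALTERED = make_tarball(TAMPERED, 1348700000)
PINNED = content_digest(FIRST)              # value to publish alongside a signed tag

if __name__ == "__main__":
    print("bytes identical:  ", byte_digest(FIRST) == byte_digest(AGAIN))
    print("content identical:", content_digest(AGAIN) == PINNED)
    print("altered detected: ", content_digest(ALTERED) != PINNED)
```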